Code Red: how the new U.S. cyber attack directive will work
White House lays out color-coded plan to deal with growing threat.
A cyber strike team has frozen all connected cars in their tracks. You sit—jammed—on the freeway, hearing report after report of traffic lights shut down, water and power companies hijacked, cell service held hostage by militant online gangs working for a foreign power.
This would be Code Black—the highest level possible—under the White House’s new cyber attack directive, an emergency that “poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons.”
The new six-level color schema helps identify the potential severity of the incident to make sure it receives the proper attention, the White House Office of the Press Secretary said in a statement about Presidential Policy Directive 41.
“The schema establishes a common framework for evaluating and assessing cyber incidents to ensure that all Federal departments and agencies have a common view of the severity of a given incident, the consequent urgency of response efforts, and the need for escalation to senior levels,” the statement said.
In addition, President Barack Obama laid out which agencies will respond to cyber incidents—and how.
“First of all, this is a pretty good thing,” said Jim Feely with Archer Security Group. “It’s the first step for our government to be able to bring all its cyber resources to bear on a cyber attack on our national resources.”
It also comes at a time when big hacks are in the news. The FBI is currently investigating the hack into the Democratic National Committee computers, where spies stole e-mails and information that Democrats had dug up on Republican presidential nominee Donald Trump.
Red, white & orange
The color scale starts at white, or level zero, for “unsubstantiated or inconsequential events.”
It passes through green (level one, low) and yellow (level two, medium), then orange (level three, high), and then hits red (level four, severe), an incident that is “likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.” The only level worse is black (level five, emergency).
An incident rated orange or higher counts as a “significant cyber incident,” and that is the threshold at which the directive’s enhanced coordination procedures kick in, according to the White House statement.
Who do you call?
Who do you contact to report a Code Orange, Red, or Black event?
The directive says the U.S. Department of Justice and its Federal Bureau of Investigation will be the federal lead agency for “threat response”—investigating the crime and tracking down the bad guys. The Department of Homeland Security will be the lead for “asset response,” which helps the victims detect the bad guys on their systems and repair the damage.
Think of a cyber incident as a fire, said an e-mail advisory from DHS’ Industrial Control Systems Joint Working Group. DHS would be like the firefighters, putting out the flames and rebuilding the house to make it more fireproof, according to the analogy. Federal law enforcement would be like police, working to identify and catch the criminals.
The Justice Department and Homeland Security will also maintain a fact sheet explaining how people and companies outside of government can contact the appropriate federal agency about a cyber incident, according to the directive.
“It spells out which federal agencies are responsible. And it will help answer a question heard too often from corporations and citizens alike—‘In the wake of an attack, who do I call for help?’” Lisa Monaco, the President’s homeland security adviser, said at a cybersecurity conference in New York Tuesday, according to USA Today.
Some cybersecurity experts see potential problems with the new cyber attack directive.
“I’m seeing a color and that color is RED,” said Paul Golden with Archer Security Group. “What good is this proposed color-coded cyber security threat level going to do when it is generally an indication that hackers or foreign governments have discovered a weakness in a system’s cyber security controls due to the fact that some employee or government official has failed to follow cyber security policies, processes or procedures?”
The color schema is a way to rate an incident’s severity after it has already happened; it does nothing to prevent one.
“If individuals are not held accountable for failures to follow policy, then there is no incentive for others to follow policy,” Golden said. “Will they only follow policy when the threat is at its highest color coded level? Too late! The data or system has already been breached, or in other words, the proverbial horse has already left the barn.”
Staff & funding
The government may not have the money and people to make the plan work well right away, Feely said.
“Government agencies are already struggling to fill existing cybersecurity roles,” Feely said. “We may need to supercharge the national drive to educate and train competent cybersecurity professionals before the full vision of this directive can be realized. That will take many years.”
The plan will take “not a trivial amount of resources” to carry out, Feely added.
“Will Congress cough up enough funding for this to work, or will agencies have to shift where their limited resources are being used?” he asked.
And when there is an incident, who will pay?
“Will the Department of Agriculture get a bill from DHS and NSA for services rendered?” Feely said. “Will Chase Bank or Target get a bill? Will this eventually lead to a ‘Stupid Internet User Law’ like Arizona’s Stupid Motorist Law?”
The so-called “Stupid Motorist Law” says drivers who go around safety barricades on flooded streets in Arizona are liable for the cost of rescuing the car or themselves.
A “Stupid Internet User Law” might make cyber crime victims liable if they did not take proper steps to protect themselves. In March, Britain’s most senior police officer came under fire for suggesting that cyber crime victims who did not improve their passwords and use antivirus software should not get refunds from their banks, reported The Guardian.
The next step
Next, agencies will put together a National Cyber Incident Response Plan, due in six months.
“This Plan will set out how the federal government will work with the private sector and state, local, and territorial governments in responding to a significant cyber incident,” said DHS Secretary Jeh Johnson in a statement.
These efforts, however, may be for naught. In six months, there will be another president in the White House who may or may not agree with President Obama’s assessments in the directive.
“The nature of cyberspace requires individuals, organizations, and the government to all play roles in incident response,” wrote the President. “Furthermore, effective incident response efforts will help support an open, interoperable, secure, and reliable information and communications infrastructure that promotes trade and commerce, strengthens international security, fosters free expression, and reinforces the privacy and security of our citizens.”
In the meantime, you may want to hope for ‘level zero’ incidents only. But if you do need to report a cyber crime, cybersecurity expert Graham Cluley provides this guide.